Apache/php disable_function

diablo666

Hi all, this is my first post in this forum.

I've a problem that I couldn't solve, and I don't know if there's a way to solve it.

In my php.ini I've a list of disabled functions as the one shown above

disable_functions = system, proc_open, proc_close, popen, passthru, shell_exec, dl, show_source, highlight_file, pcntl_exec

This works fine for me, but I've a problem with the webmail of my servers, because the function exec must be disabled to let the webmail (SquirrelMail) work.

So my question is... is it possible to enable a function only for a particular virtual host? Or leave all the functions enabled for a particular directory?
 
I encountered the same problem recently. The only solution I've found is to use the (very useful, in my opinion) "Suhosin" security extension for PHP, and set its suhosin.executor.func.blacklist parameter in php.ini, instead of using PHP's disable_functions directive. I have mine set to the following, which I believe covers a lot of the more "dangerous" functions but is by no means exhaustive (I also have dl() disabled with "enable_dl = Off" in php.ini):

Code:
suhosin.executor.func.blacklist = apache_note,apache_setenv,closelog,debugger_off,debugger_on,define_syslog_variables,escapeshellarg,escapeshellcmd,exec,ini_restore,openlog,passthru,pclose,pcntl_exec,popen,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,shell_exec,syslog,system,url_exec

This can then be set on a per-virtualhost or per-directory basis, which I did by logging into DA as admin, and under Custom HTTPD Configurations, adding the following to the relevant domain:

Code:
# Omit the <Directory>...</Directory> section to apply settings globally in the VirtualHost. I usually copy my settings for the blacklist from php.ini, and then remove any needed functions from it when pasting here, thus permitting them.

<Directory /home/user/domains/example.com/public_html/safe-php-scripts>
php_admin_value suhosin.executor.func.blacklist list-of-functions-to-disable
</Directory>

Suhosin also provides a whitelist option, if you feel like working out which functions your PHP code uses... I know I don't. :D
 
You can also allow exec to be used and install a patch into PHP called exec_dir; it's like the safe_mode_exec_dir, only that it works without safe mode being on. You just define what directory you want to allow people to exec from and symlink or copy the files into there that people are allowed to use. This stops them from using things like wget or sh of harmful scripts and allows things like ImageMagick to work.
 
These are very good solutions, but I have to use them on a production server, and I couldn't recompile the PHP system.

At this point I think there's no solution for my problem without recompiling PHP with some patch.
 
Suhosin is also available for use as an extension, which means you do not need to recompile PHP to make it work. I installed it on my DA installation last night and it plays nicely with all the PHP scripts that I use on that machine.

Installing it . . . or learning how to deal with PHP security will become more important as March is intended to be the month in which a daily PHP bug is released.
 
Yes, I saw some days ago that it's installable as an extension. As soon as I have a little time I'll test it. Thanks a lot for the support.
 
OK, I've installed it as an extension and it works perfectly. Now I'll try to configure some parameters to increase the quantity of logging.

Thanks a lot for the suggestions.

I've disabled a lot of functions in all the directories except one, and enabled those again with something like this:

<Directory /usr/share/squirrelmail>
Options None
AllowOverride None
Order allow,deny
Allow from all
php_admin_value suhosin.executor.func.blacklist " "
</Directory>

In this way, in the directory /usr/share/squirrelmail I can execute all the code I want, even if in the php.ini I've disabled a lot of functions like

suhosin.executor.func.blacklist = system, exec, proc_open, proc_close, popen, passthru, shell_exec, dl, show_source, highlight_file, pcntl_exec, ......

Thanks a lot again to all who helped me solve this problem ;)
 
Great info, I will put it in my notes.
This works indeed very well if you want to use disable_functions in general.
 
Hi

Some help please:

I've installed Suhosin and it works.

In phpinfo, I see:

suhosin.executor.func.blacklist
Code:
system, shell_exec, exec, passthru, php_uname, popen, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setgid, posix_uname, proc_close, proc_nice, proc_open, proc_terminate

Now, I want to allow exec for one domain.

So I go into DirectAdmin, into the HTTPD conf.
In the first window, I paste:
Code:
php_admin_value suhosin.executor.func.blacklist 'system, shell_exec, passthru, php_uname, popen, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setgid, posix_uname, proc_close, proc_nice, proc_open, proc_terminate'
or
Code:
php_admin_value suhosin.executor.func.blacklist system, shell_exec, passthru, php_uname, popen, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setgid, posix_uname, proc_close, proc_nice, proc_open, proc_terminate
But Apache crashes.
Do you have an idea?

What is the exact syntax?

Thanks
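
The procedure described in this thread (copy the global Suhosin blacklist, drop only the functions one site needs, paste the rest into a per-directory `php_admin_value`) can be scripted; the following is an added example, not code from any post or from the Suhosin project. The function names `parse_blacklist`, `remaining_blacklist` and `directory_override` are hypothetical; the sample list and the directory are the ones quoted in the posts above.

```python
import re

# Sample input: the global blacklist as quoted from phpinfo() in the last post.
GLOBAL_BLACKLIST = (
    "system, shell_exec, exec, passthru, php_uname, popen, posix_kill, "
    "posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setgid, "
    "posix_uname, proc_close, proc_nice, proc_open, proc_terminate"
)

def parse_blacklist(value):
    """Split on commas/whitespace, lower-case, de-duplicate, keep order."""
    names = [n.lower() for n in re.split(r"[,\s]+", value.strip()) if n]
    bad = [n for n in names if not re.fullmatch(r"[a-z_][a-z0-9_]*", n)]
    if bad:
        raise ValueError(f"not a PHP function name: {bad}")
    return list(dict.fromkeys(names))

def remaining_blacklist(global_value, permit):
    """Global list minus the functions this one directory may call."""
    blocked = parse_blacklist(global_value)
    permit = parse_blacklist(",".join(permit))
    unknown = [f for f in permit if f not in blocked]
    if unknown:  # a typo here would silently leave the function blocked
        raise ValueError(f"not in the global blacklist: {unknown}")
    remaining = [f for f in blocked if f not in permit]
    if not remaining:  # an empty list permits everything in this directory
        raise ValueError("override would lift the whole blacklist")
    return remaining

def directory_override(global_value, permit, directory):
    """Render the <Directory> block for the custom HTTPD configuration."""
    if re.search(r'["\s<>]', directory):
        raise ValueError("directory path must not contain quotes or spaces")
    # php_admin_value takes exactly two arguments (name and value), so the
    # list is joined without spaces and quoted to reach PHP as one value.
    value = ",".join(remaining_blacklist(global_value, permit))
    return (
        f'<Directory "{directory}">\n'
        f'    php_admin_value suhosin.executor.func.blacklist "{value}"\n'
        f"</Directory>\n"
    )

if __name__ == "__main__":
    print(directory_override(GLOBAL_BLACKLIST, ["exec"], "/usr/share/squirrelmail"))
```

Running `apachectl configtest` on the generated block before restarting shows a syntax error in the directive without taking the server down.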
 